[pcf] Protect against invalid number of TOC entries (#46159).
* src/pcf/pcfread.c (pcf_read_TOC): Check number of TOC entries against size of data stream.
This commit is contained in:
parent
06c2d3324e
commit
d98053c997
|
@ -1,3 +1,10 @@
|
||||||
|
2015-10-08 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
|
[pcf] Protect against invalid number of TOC entries (#46159).
|
||||||
|
|
||||||
|
* src/pcf/pcfread.c (pcf_read_TOC): Check number of TOC entries
|
||||||
|
against size of data stream.
|
||||||
|
|
||||||
2015-10-08 Werner Lemberg <wl@gnu.org>
|
2015-10-08 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
[type42] Protect against invalid number of glyphs (#46159).
|
[type42] Protect against invalid number of glyphs (#46159).
|
||||||
|
|
|
@ -102,11 +102,19 @@ THE SOFTWARE.
|
||||||
FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) )
|
FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) )
|
||||||
return FT_THROW( Cannot_Open_Resource );
|
return FT_THROW( Cannot_Open_Resource );
|
||||||
|
|
||||||
if ( toc->version != PCF_FILE_VERSION ||
|
if ( toc->version != PCF_FILE_VERSION ||
|
||||||
toc->count > FT_ARRAY_MAX( face->toc.tables ) ||
|
toc->count == 0 )
|
||||||
toc->count == 0 )
|
|
||||||
return FT_THROW( Invalid_File_Format );
|
return FT_THROW( Invalid_File_Format );
|
||||||
|
|
||||||
|
/* we need 16 bytes per TOC entry */
|
||||||
|
if ( toc->count > stream->size >> 4 )
|
||||||
|
{
|
||||||
|
FT_TRACE0(( "pcf_read_TOC: adjusting number of tables"
|
||||||
|
" (from %d to %d)\n",
|
||||||
|
toc->count, stream->size >> 4 ));
|
||||||
|
toc->count = stream->size >> 4;
|
||||||
|
}
|
||||||
|
|
||||||
if ( FT_NEW_ARRAY( face->toc.tables, toc->count ) )
|
if ( FT_NEW_ARRAY( face->toc.tables, toc->count ) )
|
||||||
return FT_THROW( Out_Of_Memory );
|
return FT_THROW( Out_Of_Memory );
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue